Top 5 Leaks in Q3 2018

In Q3 2018, InfoWatch Analytical Center registered almost 20% more confidential data leaks year over year. This is a digest of the top five incidents revealed during the period from July to September.

It is Facebook all over again. In late September, the largest social network suffered yet another destructive breach. Attackers exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people's accounts. Facebook invalidated the access tokens for all affected accounts and notified users of the issue, asking them to log back in. There was also a risk that hackers exploited a vulnerability in View As, a Facebook feature that lets people see what their own profile looks like to someone else. In this case another 40 million accounts could have been exposed.

Sungy Mobile Limited (“GOMO”), one of the world’s leading mobile application developers, leaked details on some 50 million consumers due to a misconfigured backup database. Moreover, deep analysis of the GOMO data revealed that a lot of the company’s development and internal details were exposed as well. It took security experts several days to reach the negligent database owner.

In late summer, a post was published on a Chinese dark web forum offering to buy personal data of 130 million customers of Huazhu, a Chinese hotel chain. The exposed information included names, phone numbers, email addresses, bank account numbers, and booking details. Experts believe that the data could have been leaked when Huazhu programmers uploaded a database to GitHub, a service that allows engineers to collaborate on developing software code.

China again. In early September, Shunfeng Express (SF Express), the second largest delivery services company in China, posted a data breach statement saying that the data of about 300 million of its customers were being sold on the dark web. The entire database was offered for two bitcoins (worth about $14,000 at the time of leak detection), with 100,000 records available for 0.1 bitcoin. Reporters randomly contacted more than 10 people whose data were in the fragment provided by the seller, and all respondents confirmed that their personal data were real and that they all had used SF Express to send or receive goods.

In September, a security researcher found an exposed database containing customer records of Veeam, a Swiss vendor of data backup, recovery and virtual infrastructure monitoring software. The database didn’t have a password and could be accessed by anyone knowing where to look. The compromised details included 400+ million email addresses and other records made over a four-year period between 2013 and 2017.
